I have finally found this: https://issues.jasig.org/browse/CASC-182.

I have tried setting redirectAfterValidation to false, and it did break the loop. However, the remoteUser attribute is now unavailable (httpRequest.getRemoteUser() returns null) in the request at the IdP. I don't get why, since HttpServletRequestWrapperFilter and AssertionThreadLocalFilter should still be called.

I feel that my original idea to remove the assertion from the session before getting to the CAS client filters is simpler, and saves some configuration burden.

On 24/07/2012 11:06, yanis aumont wrote:
> Thanks for the answers!
>> The only subtlety that I can perhaps point out is that setting the
>> 'renew' parameter for the filter applies to how the "CAS server" should
>> behave when it receives a /login request from the client. Presently, I
>> don't think there exists a renew-specific parameter for the client itself
>> to enforce authN.
> This is exactly how I understood renew worked while studying the code.
> This is why I find this description -
> http://www.jasig.org/cas/client-integration/renew - puzzling.
>
> On 24/07/2012 02:53, Scott Battaglia wrote:
>> The user is only prompted if an existing local session does not
>> exist. If you want to force the authentication each time they come
>> to the IdP then either set the session timeout very low (i.e. 5
>> minutes and use renew=true) or don't use the session storage at all
>> (meaning each request would send an authentication request to the CAS
>> server).
> Setting the session timeout to a short duration would not exactly
> answer my needs (forced authentication should not depend on time-based
> criteria).
>
> Using the useSession parameter feels much closer to meeting my
> expectations. However, I have issues dealing with it.
> These issues were already mentioned in some other topics (by the same
> user) but have never really been addressed:
> http://jasig.275507.n4.nabble.com/Several-Questions-td2275194.html#a2275206
> http://jasig.275507.n4.nabble.com/useSession-false-problem-td2282618.html
>
> The first post of the second topic
> (http://jasig.275507.n4.nabble.com/useSession-false-problem-td2282618.html)
> describes exactly what I face when trying to use useSessions=false.
>
> The CAS client first redirects to the server, the user authenticates,
> then the client has to validate the ticket. But there is no assertion
> nor ticket in the request (because of useSessions=false), so the test
> in AuthenticationFilter I referred to in my first post fails, and the
> user is redirected to the server for authentication. Endless loop.
> When used in conjunction with "renew=true", the only difference is
> that the user is prompted for credentials each time he gets to the CAS
> server, but this has no effect on the loop.
>
> The mere existence of the useSession parameter strengthens my idea
> that destroying the assertion (or even the session) before accessing
> the CAS client filters when forced reauth is required is not an issue.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
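As an added illustration of the approach the poster favours (a servlet filter that drops the CAS assertion from the local session before the CAS client filters run, so that the AuthenticationFilter, configured with renew=true, sends the user back to the CAS server), not code from this thread or from the Jasig CAS client project. It assumes the Java CAS client 3.x constant AbstractCasFilter.CONST_CAS_ASSERTION as the session attribute under which the assertion is stored, a hypothetical request parameter forceReauth as the trigger for forced re-authentication, a hypothetical session flag name, and that redirectAfterValidation is left at its default (true), as in the poster's first configuration. The pending flag is what keeps the ticket callback and the post-validation redirect from being treated as a fresh forced-reauth request, which is the loop described in the thread.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.util.AbstractCasFilter;

/**
 * Example filter (not part of the CAS client). Map it in web.xml BEFORE the CAS
 * AuthenticationFilter. When forced re-authentication is requested it removes the
 * stored assertion so the AuthenticationFilter redirects to /login (renew=true);
 * a session flag marks the round trip so the callback and the redirect that
 * follows validation are let through instead of re-triggering the redirect.
 */
public class ForcedReauthFilter implements Filter {

    // Hypothetical trigger parameter; the name is an assumption for this example.
    static final String FORCE_PARAM = "forceReauth";
    // Hypothetical session flag; the name is an assumption for this example.
    static final String PENDING_ATTR = "example.forcedReauthPending";
    // Default artifact parameter name used by the Java CAS client.
    static final String TICKET_PARAM = "ticket";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpSession session = request.getSession(false);

        if (session != null && request.getParameter(FORCE_PARAM) != null) {
            if (request.getParameter(TICKET_PARAM) != null) {
                // Callback from the CAS server: leave the ticket alone so the
                // validation filter can validate it and store the new assertion.
            } else if (Boolean.TRUE.equals(session.getAttribute(PENDING_ATTR))) {
                // Redirect issued after validation (redirectAfterValidation=true):
                // the fresh assertion is already in the session. Clear the flag and
                // let the request reach the CAS filters with that assertion intact.
                session.removeAttribute(PENDING_ATTR);
            } else {
                // First request carrying the trigger: drop the old assertion so the
                // AuthenticationFilter redirects to CAS, and remember that the
                // round trip is in progress to avoid looping on the way back.
                session.removeAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
                session.setAttribute(PENDING_ATTR, Boolean.TRUE);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the filter only touches the assertion attribute, the session itself (and anything else the application keeps in it) survives the forced round trip; invalidating the whole session, the other option mentioned in the thread, would also work but loses that state.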
